Pre-release of a pessimistic post about user freedom/free software losing ground due to the rise of network services
10 votes dis.k — 10 votes, 9 commentsSource

This is a very long post about free software being displaced because proprietary networks force us to install nonfree software dependencies. I planned to post this on my blog, but I am not sure it’s anything more than a rant. The freepo.st community is the one community I participate in that I think could help me understand where I am wrong, where I am just angry, and perhaps where I have valid points.


User freedom in the era of Whatsapp

For a really long time, one of my main advocacy causes has been the
promotion of software that is free-as-in-freedom (also known as
open-source; henceforth simply free). I have been using GNU/Linux
for what must be a decade by now, and every time I have to buy new
hardware (and that is not often, I like to keep hardware for as long as
it boots), I try really hard to choose devices that require the least
amount of non-free software and firmware. I can say that on what we
traditionally consider to be “computers”, i.e. desktops and laptops,
this is quite easy to achieve. Unfortunately, currently unavoidable
sacrifices are needed when you have to use a mobile device (a smartphone
or a tablet), or some web applications (e.g. my university’s student
management system). I try not to be an absolutist though. Having to use
a non-free application doesn’t make you a bad person (but it is still
bad for you). I do agree with GNU and FSF that creating non-free
software is immoral though.

The reason I am writing this post is more specific though. As I wrote
earlier, user freedom is reasonably achievable on traditional computers
without significant sacrifices. It’s more difficult in the mobile world,
and quite hard online. Nevertheless, in the mobile space you could limit
the compromises to the lower-level aspects of the device, and online you
could make exceptions on website-by-website basis. Network services came
to undo this progress though. By that I mean that social networks and
messengers came to be a potent threat to the advances of free software.

Here, I think it’s crucial to make clear that what will follow is not an
argument around privacy. I find it unfortunate that in the recent years,
advocacy for free software and especially free network services has been
almost exclusively focused on the supposed privacy benefits free
software brings. While true to a significant extend, privacy is not the
only, or even main point of software freedom. Obviously, when you have a
piece of software that is tasked with relaying your thoughts (often
personal and intimate thoughts) to trusted recipients, an aspect of
being able to “study how the software works” (Freedom 1) is indeed so
that you can make sure that the software makes a best effort to preserve
the integrity and privacy of your communications. It’s not just that
though. I personally run an XMPP server, and yes, I have OMEMO
encryption on Always On (but also with Blind Trust Before Verification).
More importantly to me though, having my own XMPP server means that I
get to tweak some settings that are important for me, like how long
message history is kept, the maximum size of file transfers, and which
ports and hostnames I can communicate over (it’s important to have
control over this on strictly firewalled networks). Those are minor
changes that didn’t even require me to modify the server’s source code,
but other people with even more specific needs can and do make more
changes. Moreover, by being on XMPP, I have a free choice of XMPP
clients, and so do the people I communicate with. For example, I am
quite happy using Dino on GNU/Linux, but one of my friends prefers
Gajim. Another friend uses a legacy version of Conversations on Android,
while I use the latest release. With proprietary network services, the
underlying protocols are only implemented by the service’s own client,
which rarely is free software and/or available for free operating
systems. Of course, you have very little power to customise the client,
and no power on the server.

On my peak of convincing people to join me on XMPP, I had six contacts.
Five of them used accounts I provided for them on my server, and one of
them already had their own. Other friends and peers actively refused to
join, citing the fact that “I already have Facebook, Whatsapp, and
Viber. Everyone already has Facebook, Whatsapp, and Viber. Why should
I get another one, especially one that only you use, instead of you
getting on with the times?”. Fortunately, many of them are local
contacts, so SMS and voice calls are not prohibitively expensive
(although, in times of dire need, they could only be reached via
Facebook because their phones were broken, or they were abroad with the
SIM disabled, or their account had a zero credit balance for too long so
certain phone provider caps kicked in). For years, I stood my ground and
managed to avoid most of the proprietary software creep that network
services bring about. Three things have now become a serious threat to
my ability to freely choose what software I run.

1. The Google and Apple Walled Gardens

One by one, my XMPP contacts went permanently off-line. Nowadays, only
one person stuck with me using XMPP. Another one only very rarely comes
online, preferring SMS or email most of the time. Of the five contacts
who have more or less gave up on XMPP, one might have done so because we
naturally drifted apart. The rest said to me that it’s hard to keep up
with me on XMPP “because they have to manually check if there are new
messages every time”. That initially shocked me, because of course XMPP
has new message notifications. Conversations on my phone has
notifications. It took me a while, but I realised what the problem was:
Apple for a long time, and Google more recently, block background data
communications when an application goes to sleep in the background,
supposedly for power saving reasons. The only way to receive
notifications is to keep the application in the foreground, or have
notifications be pushed through their proprietary cloud servers (two
relevant bug reports:
Conversations#2775,
K9Mail#857). You can set up
your XMPP server to do that, but I refuse to, as it only further
fragments the Web. Alternatively, you need to instruct your contacts to
perform some, often vendor-specific, steps to whitelist Conversations in
the power saving settings of their Android phones (to my knowledge, that
is not even an option for Apple users). This is hard to sell to people
who only reluctantly followed you on XMPP to begin with. Their first
impression of the protocol is that “it doesn’t have notifications”.

2. You never have enough time to pitch XMPP

I study Linguistics, a field that is predominately an academic pursuit.
This means I am increasingly more often attending conferences and other
similar events. I meet very interesting people there, and I want to stay
in touch with them not only on a professional level, but also often on a
social one as well. Giving your email address is not entirely a bad
option in those circles, but it only gets you so far. From my
experience, in Western Europe, they expect to get your Whatsapp account,
and in Central Europe, your Viber one. And that is as easy as giving
them your phone number. For comparison, getting them to use XMPP
includes at least the following steps, assuming they use Android:

0. Convince them that not wanting to use Whatsapp/Viber/etc is a
legitimate option

1. Either get them to pay for Conversations on Google Play Store, or get
them to enable 3rd-party application sources and install F-Droid in
order to fetch a gratis build of Conversations

2. Direct them towards a relatively well-known XMPP account provider or
create one from them on your own server (because Conversations in-app
account creation option is a time-limited trial)

3. Mutually add each-other in your roster

4. Find out and show them how to disable battery optimisations on their
device so that Conversations can receive notifications in the background

This is a person you just met. Not even your close friends, save one or
two of them, where willing to go through these steps, and they even know
what are your principled reasons to prefer XMPP. It’s hard to even get
past Step 0 with someone who you just met and they haven’t ever thought
about user freedom before.

I think the creator of Conversations thought about this too, because
recently I found his own fork of the XMPP client,
Quicksy (also
gratis on the Google Play Store). It’s basically Conversations but with
“phone number discovery”. Essentially, during on-boarding Quicksy
creates an account on an XMPP server run by the creator of the
application (not sure if it’s a trial account), which is then listed
publicly so that “contact discovery” among users of Quicksy works.
Apparently, you can also pay a reasonable one-off fee to have your
non-Quicksy XMPP account be linked to a phone
number
, for purposes of auto-discovery –
alternatively, you manually add them on your side and they do not have
to notice the difference. I am tempted to start recommending this as a
last effort to get people to use XMPP, but let’s face it, it’s a
significant compromise. Sure, it allows me to continue use my own XMPP
server and selection of XMPP clients, but it does very little to enhance
the freedom of my partner. It’s a free client, but tied to a non-free
network. They have to trust that server administration, than neither
they or I know personally, while in the best case scenario, they would
only have to trust me when I give them an account on my server. On the
other hand, one can argue that we already have to trust that person if
we are going to use Conversations as our client anyway. That’s not an
entirely fair retort, because we have access to the source code of the
client and we don’t use his own binaries, but those provided by F-Droid
(this opens the important discussion on why programmes shouldn’t be
their own packagers, and why the distribution-specific repositories are
preferable to the likes of DockerHub, PyPI, NPM etc). The creator
himself says the following:

> The Quicksy Directory server is inherently a centralized entity and
there is no control mechanism to guarantee that we actually run the same
code we publish. Nonetheless the source code is available on Github for
review.

There’s one cynical way to spin it positively though: your conversation
partner was already going to relinquish at least as much control, if not
more, to a network service that doesn’t even federate (e.g. Whatsapp),
meaning that anyone who wants to talk to them also has to make the same
sacrifice. With Quicksy, the sacrifice affects them and them alone. The
application promises to stick as much as possible to the Conversations
UI so that transitions from Quicksy to a ‘proper’ XMPP set-up will be
facilitated.

3. Market confusion, partly of our own fault

I mentioned this already, this is not an argument about privacy. In
fact, I have came to believe that the association of free software
(well, more often of “open source”) with privacy has done our movement a
disservice. While most of the time we are careful to explain how free
software facilitates but doesn’t guarantee privacy, we have
over-emphasised that aspect for short-term gains in “market share”. I
can think of at least two consequences: dismissal, and the rise of false
saviours.

The first is a well known trope: I have nothing to hide, so I have
nothing to fear. Privacy advocates have many arguments against that
stance, but that’s not the point. What concerns me is that people who
have heard about free software (again, they probably heard of “open
source”), believe that it is just another privacy-enhancing tool that
they don’t have to bother with because they have nothing to hide. It
doesn’t bring associations of self-reliance, tinkering, communal
production, or even technical superiority (that they may or may not care
about, of course), but of obsessive concerns with privacy, digital
footprints and so on.

The other way it plays out, if they appear to care about privacy, is
that they fall for false saviours like Telegram or Signal (even Whatsapp
nowadays). Those services promote themselves as secure, and talk about
end-to-end encryption and so on. And they may do that. Like Quicksy, we
have no way of truly verifying those claims. But to an even greater
extend than Quicksy, they do not respect any of the four user freedoms.
I had some truly heartbreaking experiences trying to explain to some
people that I am not interested in joining Telegram even though “it’s
secure” because my concern is freedom first and foremost, not privacy –
unfortunately we were talking past each-other because they couldn’t not
conflate the two.

What is to be done?

Unfortunately, I don’t know. I was optimistic about free software until
recently. Libreboot in particular had me very excited. There’s not much,
but there’s enough hardware we can initialise with very little binary
blobs. Our user-facing software is amazing nowadays. Things on mobile
weren’t so great, but Cyanogen (now Lineage OS) was quite good, even
though Replicant was facing a dead-end because of lack of free drivers.
But non-free networks because so vital, that they also influence your
software choices. It’s not just that you have to use Whatsapp, it’s also
that you have to use Google Play Services to be able to use Whatsapp,
which in turns means using Android. Even if you want to use XMPP, if you
want your contacts to get notifications of your messages, you are almost
forced to use Google Cloud (and definitely forced to use Apple Cloud).
If you want to give people a similar on-boarding experience to Whatsapp,
you have to do centralisation to a great extend.

Using free software is, in my opinion, quite feasible when it’s a
single-user choice. But when you have to interact with other users,
protocols determine your choices. I am afraid that many previously
committed free software users will be socially forced to relinquish
their freedom, not because free software isn’t available or good for its
purpose, but because other people make themselves reachable only over
protocols that prohibit federation and free choice of clients and
instances. And then you are forced to treat it as an issue of personal
morality unfortunately: do you die on that hill and limit your
professional network and social group, or do you give in and as a result
make free protocols even more irrelevant, guaranteeing that an
alternative will never flourish? And what are the non-destructive
short-term concessions one can make that will still allow free software
to live to fight another day?

I have nothing to hide, so I have nothing to fear

I’ve heard this so many times that at this point I’ve stopped replying at all, and simply wait until I hear them complain. “But why do you complain? You have nothing to hide!”. If they have nothing to hide, would they give me their phone? Their search history? Medical records? Do they pay everything with debit cards, or prefer cash sometimes? Can I have a copy of their phone calls? Can I enter their home and look what they’re doing, whenever I want? And can I sell their information to whoever I want to make some money? Sometimes people just need to hit the wall to understand. Of course this is true for me as well, not with regard to free software but with other things in life it certainly is.

Of course it’s not only about privacy (they don’t want to live in a transparent house, do they?) but it’s also about control of my personal information. I want control of my personal information. I don’t want who controls apps to also control me and my data. Selling data to private companies is not hypothetical, it happens right now.

I personally don’t use any of these apps, I only use emails. It is a bit extreme, and there are some people that I don’t talk to anymore because they use whatsapp and I don’t, but at the end of the day I find that people who care about me and have the need to tell me something, they know how to use emails. And by the way they also have emails, it’s just that they use it like a pobox, they check it rarely or only if they know something is coming. So I can still write to them.

Edit: ah! And IRC of course. I use it a lot. Maybe a friendly IRC client could replace whatsapp :)

Nice post but… this is not a new user behavior and is not specific to free software either. Users just are not interested in what protocol their app is using, and they are not interested in technology. They are interested in sending a text message, the cheapest way possible. Before whatsAPP there was myspace, orkut, blackberry messenger, Yahoo messenger, MSN, Skype, AIM, ICQ, Hangouts, IRC, emails. Most of them are not open source. One day, a new app will replace whatsapp. I hope it can be a free one, but people will still not care about the technology. Is there something that you don’t care about? Jehovah’s Witnesses, maybe? That is how free software advocates sound to people that don’t care about free software. A Free Software Witness knocking at their door.

And SMS. WhatsAPP was very popular with my friends because they could cut SMS. Before WhatsAPP, ISPs would offer “1000 messages per month” plans; now they are unheard of.

The only way to receive notifications is to keep the application in the foreground, or have notifications be pushed through their proprietary cloud servers. You can set up your XMPP server to do that, but I refuse to, as it only further fragments the Web.

What do you mean that it fragments the Web? You already have one XMPP server up

  • The French government has built an open source app to replace WhatsApp and Telegram
  • Somebody else is trying to make a messaging app taking advantage of email as a protocol. Because everybody has an email address or is comfortable with using one, this has already solved the problem of creating the userbase
  • Your friends obviously don’t care about free software as much as you do. They obviously don’t want to manage a server, or are afraid you can spy on them. The fear of being spied by an acquaintance is worse than being spied by a faceless app

Yes you have valid points, except 3. It’s not our fault. Your friends are comfortable in their own place, with their choices. They are not trying to reason with you why your suggestion is better (or not), they are validating their own choices by finding reasonable excuses to justify their choice and invalidate yours. It doesn’t matter what argument you bring up, the reply will always be “yes but…” because they will win the argument like that. You’re tilting at windmills. What’s to do then? Nothing. We use free apps, they use theirs. You only write to friends who can interact with your app. It’s their apps’ fault if they’re designed in such a way that it doesn’t allow to interact outside their own walls. Your friends have to make the mental jump of deciding to change app. Maybe you can point out to them why your app is better every now and then (for instance: I can do that, but you can’t. Or: I can use my own security certificate, so my app is more secure than yours). People here say that we need to fix the “network effect” dilemma, but I say that small circles can have the same positive effect. If you can find just a few of your friends to use free apps with, others will want to participate for fear of “missing out”. Remember Gmail when it was invitation only?